File name:

dpfPULccq-Fichero-ES.msi

Full analysis: https://app.any.run/tasks/bbef40e0-086a-4e81-bbfe-9e0f008cabab
Verdict: Malicious activity
Analysis date: October 20, 2020, 13:00:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {E1FF12C0-F1C5-40BE-88B7-9CE0109E808E}, Number of Words: 10, Subject: rubEGFvao, Author: nyyykpTPIwitts, Name of Creating Application: Advanced Installer 16.2 build 436ecd62, Template: ;3082, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
MD5:

58AD63487A4D6FC0DD4A4636985880FF

SHA1:

9243A031D70C6B91AD94DF523745C99250E30831

SHA256:

91672165A54CA02931CB42A6C5EE7F9C5DC2D4932BDA240922FA6712BF7DC3C3

SSDEEP:

24576:CycFId/5IqVXCWJriAJb2DRMIHBPHofTl6VQU1YwY/3:Cyl5IqVXCWJriAJbuLBPHKTl6VQU1YwY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads Internet Cache Settings

      • MsiExec.exe (PID: 3360)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3852)
  • INFO

    • Application launched itself

      • msiexec.exe (PID: 3852)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (88.6)
.mst | Windows SDK Setup Transform Script (10)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Pages: 200
Keywords: Installer, MSI, Database
Title: Installation Database
Comments: -
Template: ;3082
Software: Advanced Installer 16.2 build 436ecd62
LastModifiedBy: -
Author: nyyykpTPIwitts
Subject: rubEGFvao
Words: 10
RevisionNumber: {E1FF12C0-F1C5-40BE-88B7-9CE0109E808E}
CodePage: Windows Latin 1 (Western European)
Security: None
ModifyDate: 2009:12:11 11:47:44
CreateDate: 2009:12:11 11:47:44
LastPrinted: 2009:12:11 11:47:44
No data.
screenshot
All screenshots are available in the full report
Total processes: 39
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 0

Behavior graph (graph image not included; recovered node chain only)

start → msiexec.exe (no specs) → msiexec.exe → msiexec.exe

Process information

PID: 896
CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\dpfPULccq-Fichero-ES.msi"
Path: C:\Windows\System32\msiexec.exe
Indicators: -
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 3852
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\system32\msiexec.exe
Indicators: -
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 3360
CMD: C:\Windows\system32\MsiExec.exe -Embedding F57699961B0E81514E3C5CDBA3A75EF4
Path: C:\Windows\system32\MsiExec.exe
Indicators: -
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Total events: 415
Read events: 395
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 3
Suspicious files: 2
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3852 | msiexec.exe | C:\Windows\Installer\MSI4462.tmp | -
  MD5: -
  SHA256: -
3852 | msiexec.exe | C:\Windows\Installer\MSI4482.tmp | -
  MD5: -
  SHA256: -
3852 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF12C5B9DBC09CF6E1.TMP | -
  MD5: -
  SHA256: -
3852 | msiexec.exe | C:\Windows\Installer\MSI4520.tmp | -
  MD5: -
  SHA256: -
3852 | msiexec.exe | C:\Windows\Installer\2d4347.msi | executable
  MD5: 58AD63487A4D6FC0DD4A4636985880FF
  SHA256: 91672165A54CA02931CB42A6C5EE7F9C5DC2D4932BDA240922FA6712BF7DC3C3
3852 | msiexec.exe | C:\Windows\Installer\2d4349.ipi | binary
  MD5: 67E2E62CACE7073C01AB4B47005C30A9
  SHA256: E97EC5A8FF0E0AB63F0098132246CCA35C3B7D5246AE6DAA88F020A530BD7857
3852 | msiexec.exe | C:\Windows\Installer\MSI4500.tmp | binary
  MD5: 1BF6FE2116E59430877C9E60DA92902E
  SHA256: EE3E67196832A361DE7A352A14F565ED3A960F9E72B7CDAF548EEE848FD67C1A
3852 | msiexec.exe | C:\Windows\Installer\MSI4561.tmp | executable
  MD5: B81FC21F9EA3D9C1D947389FC32C7D66
  SHA256: E0B42DF2CB2B631B98213CC4B23273EBE71AE91E78BCB1218B4D81A2627328C6
3852 | msiexec.exe | C:\Windows\Installer\MSI43E4.tmp | executable
  MD5: A3B4D222A755F43B34A0963F13F77500
  SHA256: 9692A12BAF2113DB4921678F3CF8746933D26D05141748FE09DCEF11E5D94F54
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3360 | MsiExec.exe | 217.160.0.138:80 | marceloxfoto.com | 1&1 Internet SE | DE | malicious

DNS requests

Domain | IP | Reputation
marceloxfoto.com | 217.160.0.138 | malicious

Threats

1 ETPRO signatures available at the full report
No debug info